OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations, a great networking opportunity. OWASP Israel 2007 became a must be for any application security professional and drew a lot of people from the wider information security community as well.

OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations, a great networking opportunity. OWASP Israel 2007 became a must be for any application security professional and drew a lot of people from the wider information security community as well.

Revision as of 09:18, 15 December 2008

OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations, a great networking opportunity. OWASP Israel 2007 became a must be for any application security professional and drew a lot of people from the wider information security community as well.

Program

Cross Site Request Forgery (CSRF) made the highest entry into this year's version of the OWASP top 10, jumping straight to number 5. But as common and dangerous as it is, CSRF has remained obscured to many, and the ways to protect your application even less well understood. This turbo talk will provide an overview of CSRF and the common ways to mitigate it, leading to Amichai Shulman’s presentation which will present innovative methods for protecting from CSRF.

Ofer will also update on the OWASP 2007 conference in San Jose and other OWASP news.

Amichai will present a novel approach for solving client side solutions which would naturally be considered out of reach for server applications such as CSRF and JavaScript Hijacking. The method uses a gateway to inject a script that will require feedback from the client. If you have seen the presentation about content injection in the last OWASP IL meeting and felt it lacked actual working examples, Amichai provides some very strong evidence of the usefulness of this method.

Hunting Down XSS Vulnerabilities

Erez Metula, Application Security Department Manager, 2Bsecure

XSS is the most common web application vulnerability and leads the OWASP top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities as well as innovative method to overcome obstacles when looking for vulnerabilities.

How Dangerous Is It Out There?

Dror Paz, Director of Professional Services, Breach Security

One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore while the potential danger of web layer attacks is known, whether and how this potential is abused is a great mystery. In the presentation, Dror Paz will show what’s really happening out there, based on work done in project such as the open proxy honeypot project, WASC statistics project and the Web Hacking Incidents database as well as information gathered (incognito) from Breach installations around the globe.

this presentation was canceled since Dror was sick and would be rescheduled for a future OWASP meeting.

As application security specialists we need to follow up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large scale enterprise applications that promise to revolutionize the IT landscape. Applications built around SOA isolates each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adapting SOA.

While public key cryptography and client side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to a disaster. These complex technologies are prone to implementation and deployment mistakes that hinders them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real life PKI based authentication systems.

Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype Network operates. Further, since its traffic is encrypted and bypasses firewalls, the network administrators have almost no ability to monitor or filter Skype.
In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and of blocking the network nodes from connecting to them. Using experimental results and an analytic model we show that it is possible to collect a large enough number of SNs as to block, with a probability higher than 95%, the service for an arbitrary connecting client.

This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) & Prof. Hanoch Levy (ETH)

SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting from SQL injection attacks, including input validation and use of stored procedures. The presentation will discuss novel techniques to bypass these protection mechanisms by exploiting differences in interpretation between systems.

This is a new research work presented for the first time in OWASP Israel 2007.